Author Archives: Suranga Seneviratne

It’s a scam

Republished from: https://www.sydney.edu.au/news-opinion/news/2024/05/15/it-s-a-scam.html

Securing cyber frontiers

Australians are losing more money to scams than ever before – more than $3 billion a year – in what appears to be a ‘golden age’ for scammers. Cybersecurity expert Dr Suranga Seneviratne is researching ways to outsmart them and to avoid data breaches. He believes scams are about to get more sophisticated, but envisions an increasingly ‘cybersafe’ future.

What scams are currently most common in Australia?

There is a universal pattern of what we call ‘spray and pray’ attacks. These are SMS messages or emails that are crafted in bulk and sent by attackers or organised crime syndicates to millions of people, hoping to catch at least some people. These messages are along the lines of “You missed this delivery” or “We noticed this unusual activity in your bank account”. Or around tax time, there might be messages related to problems with your tax return. Also common are Facebook Marketplace scams using PayID. That’s when the scammer, pretending to be a buyer, tries to convince the seller to accept payments via PayID. They then send a fake email which appears to be from the bank, asking for the payment of a fee to activate or increase the payment limit of PayID.

We’ve also noticed scams moving into other channels. Scams used to be sent via SMS and email – but now they’re increasingly being sent via social media and messenger apps. For example, on WhatsApp, there is this scam along the lines of, “Hey Mum, this is my new phone number, I lost my previous phone. Can you transfer some money?”

What are the key emerging cybersecurity threats?

The thing that keeps me up at night is the impact of generative artificial intelligence (AI) and how it could give scams a significant boost. It’s the automation and scaling up of scams that I’m most concerned about. Phishing and marketplace scams have previously involved human effort. Soon they might be fully automated, executed in good English and personalised to their targets. They’re likely to be using email samples and contextual information from social media posts to mimic the writing style of real people or organisations. Some will use convincing images and even AI-generated voices. All of this will create more persuasive, plausible messages that people tend to believe more.

A hacker used to target one or two businesses, but now they can use an AI-based tool to attack hundreds of businesses overnight. This will create scams on a scale that we haven’t anticipated, and we don’t yet know what impact this will have.

Who is most vulnerable to scams?

I’m most concerned about people who are already experiencing disadvantage – the elderly, immigrants, and people with language problems. They tend to fall victim to these messages because they’re not aware of the patterns and they’re also new to what’s happening in Australia. I can’t conclusively outline the numbers, but in my experience, I have seen more cases in these communities than any other.

Why do people fall for scams?

It’s more psychology than financial desperation. Scammers are highly skilled manipulators who use social engineering and emotional triggers. They take advantage of a lack of awareness or vigilance by people who are leading busy lives. There is often some sort of urgency in the matter, and we tend to want to act because we’re worried and want to respect authority. However, if you have heard about these typical patterns, then you’re more likely to figure out that it’s a scam. In the past, we have mostly tried to push this problem towards the users – the idea being that they fall victim to scams because they don’t know any better. But one thing we firmly believe is that the technological solutions must also be ready to assist them, so that these attempts don’t reach users in the first place – so that is something we are working on.

What research and practical measures are you working on to combat scams?

Cybersecurity has always been an arms race between attackers and researchers. As security researchers, we need to identify vulnerabilities and potential threats before they are exploited, and come up with countermeasures when attackers change their strategies.

Right now, at the University of Sydney, we’re developing AI algorithms to detect freshly launched phishing URLs (website links), in a project funded by the Defence Innovation Network, in collaboration with Thales Australia. Phishing is when attackers attempt to trick users into doing the wrong thing, like clicking a malicious link that will download malware, direct them to a dodgy website, or to a login screen impersonating a popular website.

While many existing solutions can detect phishing emails and SMS messages, attackers can evade them. So we’re working on a solution that analyses the URL information and draws on the capabilities of Large Language Models (AI learning models that are pre-trained on vast amounts of text data to generate new text content) to build better-performing phishing detectors.

We’re also building technologies that will enable companies to collaborate on training their AI models, without revealing their sensitive data. This will enable them to develop what’s called ‘cyberthreat intelligence’, by finding solutions together.

In addition, we’re working to raise awareness about scams in the media, and will be offering more education in the cybersecurity area in future. We need to be instrumental in brushing up people’s skills, for example through micro-credential courses, reaching audiences beyond university students. To deliver this education, we’re building a cyber training lab at the School of Computer Science that will open in early 2024.

How do you envisage the cybersecurity future – will the proliferation of scams ever subside?

I’m not going to say that we will completely outsmart the attackers, but in terms of our skillset as a nation, if we have enough awareness, technology and knowledge – and the workforce to address it – then we should be able to identify scams early. We should be able to get on top of things quickly when attacks happen and respond before they affect many people. Until then, we need to be more vigilant than ever.

Scammers can slip fake texts into legitimate SMS threads. Will a government crackdown stop them?

Suranga Seneviratne, University of Sydney and Carol Hsu, University of Sydney

Are you tired of receiving SMS scams pretending to be from Australia Post, the tax office, MyGov and banks? You’re not alone. Each year, thousands of Australians fall victim to SMS scams. And losses have surged in recent years.

In 2022 SMS scam losses exceeded A$28 million, which is nearly triple the amount from 2021. This year they’ve already reached A$4 million – more than the 2020 total. These figures are probably much higher if you include unreported losses, as victims often won’t speak up due to shame and social stigma.

Last month, the federal government announced plans to fight SMS-based scams by implementing an SMS sender ID registry. Under this system, organisations that want to SMS customers will first have to register their sender ID with a government body.

What kinds of scams would the proposed registry help prevent? And is it too little, too late?

Sender ID manipulation

One of the more concerning types of SMS scams is when fraudulent messages creep into legitimate message threads, making it difficult to differentiate between a legitimate service and a scam.

SMS is an older technology that lacks many modern security features, including end-to-end encryption and origin authentication (which lets you verify whether a message is sent by the claimed sender). The absence of the latter is the reason we see highly believable scams like the one below.

An example of a scam SMS message ending up in a legitimate message thread. (Image: Luu Y Nhi Nguyen)

There are two main types of SMS:

  • peer-to-peer (P2P) is what most people use to send messages to friends and family
  • application-to-person (A2P) is a way for companies to send messages in bulk through the use of a web portal or application.

The problem with A2P messaging is that applications can be used to enter any text or number (or combination) in the sender ID field – and the recipient’s phone uses this sender ID to group messages into threads.

In the example above, the scammer would have simply needed to write “ANZ” in the sender ID field for their fraudulent message to show up in the real message thread with ANZ. And, of course, they could still impersonate ANZ even if no previous legitimate thread existed, in which case it would show up in a new thread.

Web portals and apps offering A2P services generally don’t do their due diligence and check whether a sender is the actual owner of the sender ID they’re using. There are also no requirements for telecom companies to verify this.

Moreover, telecom providers generally can’t block scam SMS messages due to how difficult it is to distinguish them from genuine messages.

How would sender ID registration help?

Last year the Australian Communications and Media Authority (ACMA) introduced new rules for the telecom industry to combat SMS scams by tracing and blocking them. The Reducing Scam Calls and Scam Short Messages Industry Code required providers to share threat intelligence about scams and report them to authorities.

In January, A2P texting solutions company Modica received a warning for failing to comply with the rules. ACMA found Modica didn’t have proper procedures to verify the legitimacy of text-based SMS sender IDs, which allowed scammers to reach many mobile users in Australia.

Although ACMA’s code is useful, it’s challenging to identify all A2P providers who aren’t following it. More action was needed.

In February, the government instructed ACMA to explore establishing an SMS sender ID registry. This would essentially be a whitelist of all alphanumeric sender IDs that can be legitimately used in Australia (such as “ANZ”, “T20WorldCup” or “Uber”).

Any company wanting to use a sender ID would have to provide identification and register it. This way, telecom providers could refer to the registry and block suspicious messages at the network level – allowing an extra defence in case A2P providers don’t do their due diligence (or become compromised).

It’s not yet decided what identification details an Australian registry would collect, but these could include sender numbers associated with an organisation, and/or a list of A2P providers they use.

So, if there are messages being sent by “ANZ” from a number that ANZ hasn’t registered, or through an A2P provider ANZ hasn’t nominated, the telecom provider could then flag these as scams.
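The two mechanisms described above, handset threading by sender ID and a registry check at the network level, are easy to see side by side in code. The following is an added illustration, not code from the article or from any carrier or regulator: the registry entries, provider names and sample messages are all constructed for the example, and the decision logic is a simplified model of what a telecom provider could do with a registry that records which A2P providers each sender ID owner has nominated.

```python
import re
from dataclasses import dataclass

# Constructed registry for the illustration: alphanumeric sender ID -> A2P
# providers the registered owner has nominated. Provider names are invented.
REGISTRY = {
    "ANZ": {"provider-a"},
    "AusPost": {"provider-a", "provider-b"},
}

# Plain numeric originators (E.164-style) are ordinary P2P senders; a sender
# ID registry only covers alphanumeric IDs.
PHONE_NUMBER = re.compile(r"^\+?\d{6,15}$")


@dataclass(frozen=True)
class Sms:
    sender_id: str     # the string the handset displays and threads on
    body: str
    via_provider: str  # A2P aggregator that injected the message (constructed)


def is_alphanumeric_sender(sender_id: str) -> bool:
    """True for IDs such as 'ANZ'; False for phone numbers."""
    return not PHONE_NUMBER.match(sender_id)


def group_into_threads(messages):
    """Mimic a handset: messages are threaded purely by the sender ID string,
    so a forged 'ANZ' lands in the same thread as the genuine one."""
    threads = {}
    for m in messages:
        threads.setdefault(m.sender_id, []).append(m.body)
    return threads


def screen(sms: Sms, registry=REGISTRY) -> str:
    """Network-side decision a carrier could make with a sender ID registry.
    Returns 'allow', 'block', or 'unscreened' where the registry cannot help."""
    if not is_alphanumeric_sender(sms.sender_id):
        return "unscreened"          # e.g. the 'Hi Mum' scam from a real number
    nominated = registry.get(sms.sender_id)
    if nominated is None:
        return "block"               # alphanumeric ID nobody has registered
    if sms.via_provider not in nominated:
        return "block"               # registered ID, but sent via a provider the owner never nominated
    return "allow"


# Constructed sample traffic: one genuine bank message, one forged into the
# same thread, one unregistered brand, one P2P message from a plain number.
SAMPLE = [
    Sms("ANZ", "Your one-time code is 482913.", "provider-a"),
    Sms("ANZ", "Unusual activity detected, verify at http://anz-verify.example", "provider-z"),
    Sms("ParcelCo", "Your parcel is held, pay the fee at http://parcel-fee.example", "provider-z"),
    Sms("+61400000001", "Hi Mum, this is my new number, I lost my phone. Can you transfer $800?", "p2p"),
]


def screen_all(messages=SAMPLE, registry=REGISTRY):
    return [screen(m, registry) for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE, screen_all()):
        print(f"{verdict:10} {m.sender_id:14} {m.body}")
    # Without the registry, both 'ANZ' messages sit in one thread on the handset.
    print(group_into_threads(SAMPLE)["ANZ"])
```

Running the block shows the forged "ANZ" message grouped into the genuine ANZ thread by the handset model, while the registry check blocks it (wrong provider) and blocks the unregistered "ParcelCo" ID, yet returns "unscreened" for the message from a plain number, which is exactly the gap the article notes a registry leaves open.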

An SMS sender ID registry would be a positive step, but arguably long overdue and sluggishly taken. The UK and Singapore have had similar systems in place since 2018 and last year, respectively. But there’s no clear timeline for Australia. Decision makers must act quickly, bearing in mind that adoption by telecom providers will take time.

Remaining alert

An SMS sender ID registry will reduce company impersonation, but it won’t prevent all SMS scams. Scammers can still use regular sender numbers for scams such as the “Hi Mum” scam.

Also, as SMS security comes under increased scrutiny, bad actors may shift to messaging apps such as WhatsApp or Viber, in which case regulatory control will be challenging.

These apps are often end-to-end encrypted, which makes it very difficult for regulators and service providers to detect and block scams sent through them. So even once a registry is established, whenever that may be, users will need to remain alert.

Suranga Seneviratne, Senior Lecturer – Security, University of Sydney and Carol Hsu, Professor of Business Information Systems, University of Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.

COVID, lockdowns, tax time: scammers pose triple threat

Current conditions the perfect ‘breeding ground’ for scams.

The pandemic, ongoing lockdowns and tax return time are leading to a perfect scam storm, says Dr Suranga Seneviratne from the School of Computer Science.

Dr Suranga Seneviratne is a computer scientist and cybersecurity expert from the Faculty of Engineering who warns that conditions caused by the pandemic are leaving Australians vulnerable to a scam surge. He provides timely advice on how to spot scams and avoid becoming a target.

“The COVID-19 pandemic has hit Australia again. Many of us were caught off guard and we have all had to quickly react and adjust. Changed work conditions – or lack thereof, home-schooling, social isolation and information overload are making many of us, even the tech savvy, vulnerable to scams,” said Dr Suranga Seneviratne.

“Scammers target vulnerability and thrive on disorder – current conditions are the perfect breeding ground for this type of nefarious activity.

“Now, more than ever, we should be on high alert for possible cyber-crime and scam activities targeting us.”

Lessons from lockdown 1.0

“Last year we witnessed several pandemic-specific scamming activities. The early days of the pandemic saw attempts to distribute malware using apps and websites disguised as providing COVID-19 information,” said Dr Seneviratne.

“There were also phone, SMS, and email campaigns around the world where the attackers targeted mobile users with convincing stories, such as pandemic relief packages, test results, information about travel restrictions, and early access to vaccination. During the same time, regular scam activities – such as romance scams and fake advertisements – also increased locally as well as globally.

“For example, according to the Australian Competition and Consumer Commission (ACCC)’s latest report, losses from scam activities sky-rocketed in 2020 – increasing by a staggering 23 percent compared to 2019. The US Federal Trade Commission reported similar trends in the US.”

What’s happening this time around?

Fig 1. A message claiming to be from DHL which contains a link to a fake website. Clicking this link could infect your device with malware, spyware or a virus.

“While it remains to be seen whether scam activities have increased during the current outbreak, there’s evidence that attackers are “seizing the moment” with crafty stories designed to exploit people’s heightened vulnerability,” said Dr Seneviratne.

“Just last month, Australian mobile users were targeted by the ‘Flubot’ scam. Targeted users received a seemingly innocuous SMS with a link to a supposed voice mail message. Once the link was clicked, users were asked to install a voicemail app, which was in fact malware. Some thought this message was related to their COVID test results.

“During the pandemic, people have been getting calls from unknown numbers for all sorts of reasons, and not all of them have been nefarious. This increased communication, coupled with many people being more preoccupied than usual, has caused many otherwise cautious people to absent-mindedly click malware links or answer calls from scammers.

“Business emails have also been compromised by scammers. Some businesses or individuals may be behind their payments due to the pandemic or dealing with challenging remote working conditions. Attackers have been pretending to be suppliers, trying to scam money from businesses.”

“Fake postage or logistic texts and emails, claiming to be DHL, Australia Post and Toll have been rife too, with scammers capitalising on the increase in orders and trade by post.”

“Now that we are in a new financial year, increasingly, scammers are posing as the Australian Taxation Office and are requesting large sums of money. There have also been instances where people have received voicemails telling them they have a warrant out for their arrest because of tax evasion.”

6 top tips for avoiding cyber scams

Fig 2. An email claiming to be Australia Post. Note the actual email address is “AustralianPost@azedf.z-mcit.org.uk”. Be sure to watch out for small details like this.

There are several easy, everyday actions we can all take that can protect us against cybercrime, such as: regularly updating our software; using antivirus solutions; creating secure passwords; and enabling multi-factor authentication.

There are also several scenarios in which you should proceed with caution:

  1. If you receive an unsolicited message with a link, don’t click it. Many text messages appear to be legitimate, but on closer inspection are not (see fig.2).
  2. If you receive a text alerting you to a voicemail, don’t click the link. Instead use your telco provider’s voicemail number to find out if you actually have received one.
  3. The same goes with the bank or other similar institutions. If you get a message, don’t click on it. Instead, directly log into the bank from your computer or the app. Many banks are now moving away from sending texts containing links. Rather they only send messages like “there was some suspicious activity in your account, please log in to your online banking portal and check”.
  4. Never give out your personal information over the phone on an unsolicited call. There are many occasions that we receive legitimate calls from unexpected numbers at unexpected times. However, if you give away personal information over the phone, it is strongly recommended that you first verify the identity of the other party. For example, if the person claims to be calling from the bank, ask for their name and enquire as to their request, then hang up and call the bank at a verified number and corroborate these details – the bank will be able to tell you if this was a legitimate request.
  5. Check email sender information.
    While email filtering solutions do a reasonable job of keeping bulk phishing attempts out of your inbox, highly targeted phishing and scam attempts can still get through. Always check the sender’s email address and verify that it really belongs to the person it claims to be from. For example, if one of your work colleagues emails asking for an urgent financial favour, check that the message came from their actual address. These phishing attempts will often get the names and contact information right and combine them with a plausible story, but if you inspect closely you will realise the email address is not the one you know. For example, a fake University of Sydney email address might read: john.Appleseed@sydney.au.edu or john.appleseed@sydney.co.

    Especially on mobile devices, attackers often manipulate sender names so you only see part of the sender information, such as “Australia Post”. But when you expand the actual email address, such emails will not have a valid Australia Post domain name (see Fig. 2).
  6. Remember everyone is vulnerable to being scammed. While all of this may seem obvious and straightforward, many tech-savvy people have fallen victim to these simple tricks and heightened stress is making us all more susceptible.
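Tip 5 above and the phishing-URL detection work described in the first interview on this page both come down to the same question: does the domain behind a sender address or a link actually belong to the brand it names? The block below is an added example, not code from the article or from the University of Sydney project, and it is a deliberately simple lexical check rather than the LLM-based detector the interview mentions. It uses the lookalike addresses quoted in the article. Its registrable-domain helper is a stand-in with a handful of hard-coded suffixes (an assumption; a real deployment should use the full Public Suffix List), and the brand keyword and domain lists passed to it are assumptions for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List. Only these two-label
# suffixes are known; everything else is treated as a single-label TLD.
MULTI_LABEL_SUFFIXES = {"com.au", "edu.au", "gov.au", "net.au", "org.au",
                        "co.uk", "org.uk", "ac.uk"}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def registrable_domain(host: str) -> str:
    """Registrable domain (eTLD+1) of a hostname, e.g.
    'azedf.z-mcit.org.uk' -> 'z-mcit.org.uk', 'mail.sydney.edu.au' -> 'sydney.edu.au'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(display_name: str, address: str, expected_domain: str):
    """Compare the domain of an email address with the domain the display name
    or claimed sender implies. Returns (verdict, reason)."""
    m = EMAIL_RE.match(address)
    if not m:
        return "suspicious", "not a well-formed address"
    actual = registrable_domain(m.group(1))
    if actual != expected_domain.lower():
        return "suspicious", (f"display name {display_name!r} but address domain "
                              f"is {actual}, expected {expected_domain}")
    return "ok", f"address domain {actual} matches"


def check_url(url: str, brand_keywords, brand_domains):
    """Lexical checks a phishing-URL filter can run before any model: a brand
    name in the hostname whose registrable domain the brand does not own, an
    IP-literal host, userinfo '@' in the authority, or punycode labels.
    Returns (verdict, list of reasons)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if "@" in parts.netloc:
        reasons.append("userinfo '@' in URL hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal instead of a hostname")
    except ValueError:
        pass
    if "xn--" in host:
        reasons.append("punycode label (possible homoglyph)")
    rd = registrable_domain(host)
    for kw in brand_keywords:
        if kw in host.replace("-", "") and rd not in brand_domains:
            reasons.append(f"brand keyword {kw!r} in host but registrable domain is {rd}")
            break
    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    # Addresses quoted in the article; the expected domains are assumptions.
    print(check_sender("Australia Post", "AustralianPost@azedf.z-mcit.org.uk", "auspost.com.au"))
    print(check_sender("John Appleseed", "john.Appleseed@sydney.au.edu", "sydney.edu.au"))
    print(check_sender("John Appleseed", "john.appleseed@sydney.co", "sydney.edu.au"))
    # Constructed URLs: one genuine-looking, two lookalikes.
    brand = ["auspost"], {"auspost.com.au"}
    print(check_url("https://auspost.com.au/track", *brand))
    print(check_url("http://auspost.com.au.secure-login.example/verify", *brand))
    print(check_url("http://auspost.com.au@203.0.113.9/", *brand))
```

The point of the two lookalike University addresses is that `sydney.au.edu` and `sydney.co` both contain the word "sydney" yet resolve to a different registrable domain than `sydney.edu.au`; the same reasoning flags `auspost.com.au.secure-login.example`, where the brand appears as a subdomain of someone else's domain. Because the suffix table is a stand-in, the helper will misjudge domains under suffixes it does not list, which is why production code should lean on the full Public Suffix List.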

Originally posted at https://www.sydney.edu.au/news-opinion/news/2021/09/23/covid–lockdowns–tax-time–scammers-pose-triple-threat.html

Cybersecurity trends in 2020

What will 2020 have in store for cybersecurity? Tighter regulation, increasingly sophisticated attacks on key infrastructure and AI-driven cyber warfare, according to Dr Suranga Seneviratne from the School of Computer Science.

Internet of (Insecure) Things

“Internet-of-Things technology is becoming increasingly popular, with smart home devices on the rise in Australia,” said cybersecurity expert from the University of Sydney’s School of Computer Science, Dr Suranga Seneviratne.

“Domestically, the household Internet of Things market reached $1.1 billion in 2018, which was a 57 percent increase compared to the previous year.

“We can’t deny IoT’s ubiquity, but are all these devices really secure? Are we opening up our houses to attackers to build botnets (ie: secretly using our smart home devices to attack other internet hosts), steal our data, or worse, control our houses?

“Perhaps it’s time we looked at enforcing stricter regulations to make these devices more secure, which is already happening in the UK and US. The draft Australian Voluntary Code of Practice: Securing the Internet of Things for Consumers is definitely a step in the right direction.”

Tech giants under scrutiny: what to expect

“Under the European Union’s General Data Protection Regulation (GDPR) framework we saw some big tech companies being held accountable for collecting personal data without proper consent,” said Dr Seneviratne.

“The Cambridge Analytica incident also generated a much-needed and overdue discourse on how to collect and handle personal data.

“In California, where the majority of US tech-companies are based, the CCPA (California Consumer Privacy Act) will come into effect from January 2020.

“Yet, globally, we still don’t have a proper framework on how to balance the trade-offs between privacy and consumer utility, particularly with data that’s stored remotely. Will storing data on devices finally become trendy?”

Cyberthreats on critical infrastructure — are we ready?

“This year we witnessed several global attack attempts on critical infrastructure, such as electrical grids and government services. These attacks are likely to become more frequent, more sophisticated and increasingly politically motivated,” said Dr Seneviratne.

“While it is important for governments and businesses to take all possible measures to detect and prevent these attacks, they must begin preparing for worst-case scenarios. In 2015 Ukraine bore the first ever attack of this kind. Attackers were able to disrupt the power supply of more than 200,000 people for a few hours.

“Do governments and large service providers have proper incident response protocols in place to prevent such attacks? Are employees well trained to handle such threats? In some cases, the way we react to an attack could make things far worse.”

AI-driven security and privacy threats

“Artificial intelligence is becoming pervasive: already we’ve witnessed demonstrations that have used AI to bypass CAPTCHA and facial-recognition software. For example, on one occasion, researchers showed how specially printed patterns on spectacle frames could trick state-of-the-art commercial facial recognition systems to think the wearer was someone else,” said Dr Seneviratne.

“It can be expected that these attacks will soon go beyond prototypes and into the real world, with hackers using AI to circumvent traditional antivirus solutions, such as malware detection systems and intrusion detection systems.”

Define: Internet of Things

The Internet of Things, or IoT, refers to physical devices that collect and share data and are connected to the internet. They include devices like smart speakers, televisions, and even fridges.

Originally posted at https://www.sydney.edu.au/news-opinion/news/2020/01/07/cybersecurity-trends-in-2020.html

The ugly truth: tech companies are tracking and misusing our data, and there’s little we can do

While leaks and whistleblowers continue to be valuable tools in the fight for data privacy, we can’t rely on them solely to keep big tech companies in check.

Suranga Seneviratne, University of Sydney

As survey results pile up, it’s becoming clear Australians are sceptical about how their online data is tracked and used. But one question worth asking is: are our fears founded?

The short answer is: yes.

In a survey of 2,000 people completed last year, Privacy Australia found 57.9% of participants weren’t confident companies would take adequate measures to protect their data.

Similar scepticism was noted in results from the 2017 Australian Community Attitudes to Privacy Survey of 1,800 people, which found:

• 79% of participants felt uncomfortable with targeted advertising based on their online activities

• 83% were uncomfortable with social networking companies keeping their information

• 66% believed it was standard practice for mobile apps to collect user information and

• 74% believed it was standard practice for websites to collect user information.

Also in 2017, the Digital Rights in Australia report, prepared by the University of Sydney’s Digital Rights and Governance Project, revealed 62% of 1,600 participants felt they weren’t in control of their online privacy. About 47% were also concerned the government could violate their privacy.

The ugly truth

Lately, a common pattern has emerged every time malpractice is exposed.

The company involved will provide an “opt-out” mechanism for users, or a dashboard to see what personal data is being collected (for example, Google Privacy Checkup), along with an apology.

If we opt-out, does this mean they stop collecting our data? Would they reveal collected data to us? And if we requested to have our data deleted, would they do so?

To be blunt, we don’t know. And as end users there’s not much we can do about it, anyway.

When it comes to personal data, it’s extremely difficult to identify unlawful collections among legitimate collections, because multiple factors need to be considered, including the context in which the data is collected, the methodology used to obtain user consent, and country-specific laws.

Also, it’s almost impossible to know if user data is being misused within company bounds or in business-to-business interactions.

Despite ongoing public outcry to protect online privacy, last year we witnessed the Cambridge Analytica scandal, in which a third-party company was able to gather the personal information of millions of Facebook users and use it in political campaigns.

Earlier this year, both Amazon and Apple were reported to be using human annotators to listen to personal conversations, recorded via their respective digital assistants Alexa and Siri.

More recently, a New York Times article exposed how much fine-grained data is acquired and maintained by relatively unknown consumer scoring companies. In one case, a third-party company knew the writer Kashmir Hill used her iPhone to order chicken tikka masala, vegetable samosas, and garlic naan on a Saturday night in April, three years ago.

At this rate, without any action, scepticism towards online privacy will only increase.

History is a teacher

Early this year, we witnessed the bitter end of the Do-Not-Track initiative. This was proposed as a privacy feature where requests made by an internet browser contained a flag, asking remote web servers to not track users. However, there was no legal framework to force web server compliance, so many web servers ended up discarding this flag.

Many companies have made it too difficult to opt-out from data collections, or request the deletion of all data related to an individual.

For example, as a solution to the backlash on human voice command annotation, Apple provided an opt-out mechanism. However, doing this for an Apple device is not straightforward, and the option isn’t prominent in the device settings.

Also, it’s clear tech companies don’t want to have opting-out of tracking as users’ default setting.

It’s worth noting that since Australia doesn’t have social media or internet giants, much of the country’s privacy-related debates are focused on government legislation.

Are regulatory safeguards useful?

But there is some hope left. Some recent events have prompted tech companies to think twice about the undeclared collection of user data.

For example, a US$5 billion fine is pending against Facebook for its role in the Cambridge Analytica incident and related practices of sharing user data with third parties. The exposure of this event has forced Facebook to take measures to improve its privacy controls and be more forthcoming with users.

Similarly, Google was fined €50 million under the General Data Protection Regulation by the French data regulator CNIL, for lack of transparency and consent in user-targeted ads.

Like Facebook, Google responded by taking measures to improve the privacy of users, by stopping reading our e-mails to provide targeted ads, enhancing its privacy control dashboard, and revealing its vision to keep user data in devices rather than in the cloud.

No time to be complacent

While it’s clear current regulatory safeguards are having a positive effect on online privacy, there is ongoing debate about whether they are sufficient.

Some have argued about possible loopholes in the European Union’s General Data Protection Regulation, and the fact that some definitions of legitimate use of personal data leave room for interpretation.

Tech giants are multiple steps ahead of regulators, and are in a position to exploit any grey areas in legislation they can find.

We can’t rely on accidental leaks or whistleblowers to hold them accountable.

Respect for user privacy and ethical usage of personal data must come intrinsically from within these companies themselves.

Suranga Seneviratne, Lecturer – Security, University of Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.

How to stay safe online

School of Computer Science academic, Dr Suranga Seneviratne shares his advice on how to stay safe online to avoid malware and hackers corrupting your devices.

Dr Seneviratne shares his 8 tips for staying safe online — and they’re easier to follow than you might think.

1. Keep your devices up-to-date

“If a manufacturer or Operating System provider recommends a software update for any device you use, be it a laptop, desktop, tablet, or smartphone, simply do it,” said Dr Suranga Seneviratne.

“These updates can contain important security patches for recently discovered vulnerabilities. Updating software will keep your devices safe,” he said. 

2. Use more than one trusted security tool

“Use several trusted security tools such as antivirus, internet or browser security (for example, a browser plugin that will warn you about harmful websites), and a password vault to manage your passwords. But do your due diligence and select this software carefully. Read reviews and stick to well established providers. Be cautious, especially if you are thinking of using free security software,” said Dr Seneviratne.

3. Enable multi-factor authentication

“If you are connecting to your online services from a range of devices it might be worthwhile to enable multi-factor authentication such as SMS codes or use of a security key. This means a hacker cannot simply log in to your account using just a password,” he said.

4. Don’t use untrusted WiFi networks

“It might be tempting to use free WiFi networks, especially when you are on the move or travelling overseas without mobile coverage,” said Dr Seneviratne.

“Free WiFi could be a gateway for malicious behaviour. Be extra careful when using these networks and always use a VPN by a trusted provider,” he said.

5. Don’t open email attachments from unknown senders

“Be mindful in opening email attachments as they can contain software that can infiltrate your device,” warned Dr Seneviratne.

“It is highly recommended that you don’t open email attachments from unknown sources. Even if you have the slightest doubt about an attachment, always verify with the senders. If you can’t find their number or details online, delete the email,” he said.

6. Research software and apps before installing

“Not all software and apps are secure. A high number of smartphone apps are counterfeit and riddled with nefarious software. Stick to the official app stores and read reviews before you install anything,” he said.

7. Be vigilant when it comes to phone scams

“Over $100 million has been lost to scams this year in Australia. Phone scams are a popular choice for scammers as they employ emotional tactics to lure their victims into giving up huge sums of money,” explained Dr Seneviratne.

“Never share any of your user credentials over the phone. Most of the legitimate providers don’t ask for your login credentials over the phone. So always remember, if you receive a phone call asking for information to fix a problem on your account, it’s probably a scam,” he said. 

8. Update Smart TVs, WiFi routers, and other devices

“Did you know that even your smart TV or WiFi router can be a target for hackers and scammers? As a habit, log in regularly and perform routine check-ups,” said Dr Seneviratne.

“See whether there are pending software updates, change the passwords periodically, and check for any security notifications. It is very easy to set up these devices once and totally forget about them, but even they can be used by hackers to access your personal information or gain entry to your private networks,” he concluded.

Originally posted at https://www.sydney.edu.au/news-opinion/news/2019/10/11/how-to-stay-safe-online.html

Some cybersecurity apps could be worse for privacy than nothing at all

Apple has removed several security tools from the Mac app store after they were found to be collecting unnecessary personal data.

Suranga Seneviratne, University of Sydney

It’s been a busy few weeks for cybersecurity researchers and reporters. There was the Facebook hack, the Google+ data breach, and allegations that the Chinese government implanted spying chips in hardware components.

In the midst of all this, some other important news was overlooked. In early September, Apple removed several Trend Micro anti-malware tools from the Mac app store after they were found to be collecting unnecessary personal information from users, such as browser history. Trend Micro has now removed this function from the apps.

It’s a good reminder that not all security apps will make your online movements more secure – and, in some cases, they could be worse than doing nothing at all. It’s wise to do your due diligence before you download that ad-blocker or VPN – read on for some tips.

Security apps

There is a range of tools people use to protect themselves from cyber threats:

  • Virtual private networks (VPNs) allow you to establish a secure connection with a remote server and route all your traffic through it so it can’t be tracked by your internet service provider. VPNs are commonly used to access geo-blocked content, and for additional privacy.
  • Ad-blockers prevent advertisements from appearing on the websites you visit.
  • App-lockers allow you to set passwords for individual apps, so that if somebody borrowed your phone to make a call, for example, they could not then open your Facebook app.
  • Tor hides your identity while you browse the internet, by encrypting and moving your traffic across multiple Tor nodes.

Know the risks

There are multiple dangers in using these kinds of security software, especially without the proper background knowledge. The risks include:

Accessing unnecessary data

Many security tools request access to your personal information. In many cases, they need to do this to protect your device. For example, antivirus software requires information such as browser history, personal files, and unique identifiers to function. But in some cases, tools request more access than they need for functionality. This was the case with the Trend Micro apps.

Creating a false sense of security

It makes sense that if you download a security app, you believe your online data is more secure. But sometimes mobile security tools don’t provide security at the expected levels, or don’t provide the claimed services at all. If you think you can install a state-of-the-art mobile malware detection tool and then take risks online, you are mistaken.

For example, a 2017 study showed it was not hard to create malware that can bypass 95% of commercial Android antivirus tools. Another study showed that 18% of mobile VPN apps did not encrypt user traffic at all. And if you are using Tor, there are many mistakes you can make that will compromise your anonymity and privacy – especially if you are not familiar with the Tor setup and try to modify its configurations.

Lately, there have been reports of fake antivirus software, which open backdoors for spyware, ransomware and adware, occupying the top spots on the app charts. Earlier this year it was reported that 20 million Google Chrome users had downloaded fake ad-blocker extensions.

Software going rogue

Numerous free – or paid – security tools are available in app stores, created by enthusiastic individual developers or small companies. While these tools can provide handy features, they can be poorly maintained. More importantly, they can be hijacked or bought by attackers, and then used to harvest personal information or propagate malware. This happens mainly in the case of browser extensions.

Know what you’re giving away

The table below shows what sort of personal data are being requested by the top-10 antivirus, app-locker and ad-blocking apps in the Android app store. As you can see, antivirus tools have access to almost all the data stored in the mobile phone.

That doesn’t necessarily mean any of these apps are doing anything bad, but it’s worth noting just how much personal information we are entrusting to these apps without knowing much about them.

How to be safer

Follow these pointers to do a better job of keeping your smart devices secure:

Consider whether you need a security app

If you stick to the official app stores, install few apps, and browse only a routine set of websites, you probably don’t need extra security software. Instead, simply stick to the security guidelines provided by the manufacturer, be diligent about updating your operating system, and don’t click links from untrusted sources.

If you do, use antivirus software

But before you select one, read product descriptions and online reviews. Stick to solutions from well-known vendors. Find out what it does, and most importantly what it doesn’t do. Then read the permissions it requests and see whether they make sense. Once installed, update the software as required.

Be careful with other security tools

Only install other security tools, such as ad-blockers, app-lockers and VPN clients, if it is absolutely necessary and you trust the developer. The returns from such software can be minimal when compared with the associated risks.

Suranga Seneviratne, Lecturer – Security, University of Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.